The FBI shuts down a millionaire online fraud campaign

The Federal Bureau of Investigation (FBI), Google and multiple cybersecurity and digital forensics firms worked together to collapse one of the most complex digital advertising fraud schemes ever seen, which managed to infect more than 1.7 million computer equipment with the aim of generating fake clicks and deceiving online advertisers for years, so that the fraud operators achieved gains by tens of million dollars.

The fraudulent campaign, known as 3ve, has been active since 2014, at least, according to experts in digital forensics from the International Institute of Cyber Security. However, the malicious activities of its operators peaked last year, turning it into a large-scale business and generating about $30M USD in profits for the cybercriminals.

Meanwhile, the US Department of Justice (DoJ) reported that it has initiated an indictment of 13 criminal charges against 8 people in Russia, Kazakhstan, and Ukraine, who allegedly worked as campaign operators.

The 3ve operation employed various tactics during its activity time, such as creating its own botnets, spoofing websites, hijacking IP addresses, using proxies to hide real IP and infecting victims’ computers with malware, all with the purpose of generating fake clicks in online advertising.

According to specialists in digital forensics, 3ve involved 1.7 million computers infected with malware, more than 80 servers and over a thousand fake websites through more than one million compromised IP addresses to generate from 3 to 12 billion ad bids requests daily.

According to the reports of Google and the participating cybersecurity firms, this fraudulent scheme was named 3ve because it is based on a set of three different sub operations, with each taking its own measures to avoid detection, in addition, each one is based on different architectures that use several components.

“Operators constantly changed their methods to hide 3ve bots, allowing this operation to keep growing even after its traffic was detected. When they were blocked in any site, they would reappear in a new one,” Google mentions. The three operations used in 3ve are:

Boaxxe Malware Scheme (3ve. 1)

The first of the three 3ve sub operations were powered by botnets operating in data centers across Europe and the US. This operation used the Boaxxe botnet, also known as Miuref and Methbot, to obtain the IP addresses used to send the traffic proxy of the infected devices in the data centers and to visit fake and real web pages.

As the time run, the operation transcended false requests on desktops, also reaching traffic on mobile devices with Android.

Kovter malware Scheme (3ve. 2)

Here they used fake domains to sell fake inventories to advertisers. However, instead of using proxies to hide, campaign operators used a custom navigation agent on more than 700k computers infected with Kovter malware.

The third sub operation associated with 3ve was similar to 3ve.1. Bots were set up in some data centers, but to cover their tracks, operators used the IP addresses of other data centers, as proxies, rather than residential computers.

End of Operation 3ve

After 3ve’s activity grew in 2017, Google, along with other digital forensics firms that had detected the operation, began its shot down operation.

Thanks to this joint work, the FBI managed to seize 31 domains and 89 servers that were part of the structure of 3ve. Private organizations also helped blacklisting the 3ve infrastructure involved in the advertising fraud scheme and traffic to malicious domains.